Privacy Act reforms 2026: what boards and businesses need on the cyber radar

Published By:


Gavin McInnes

Founder of GRM LAW

Key Takeaways:

  • The Statutory Tort Is Already Live — Individuals Can Now Sue Directly: You must treat any mishandling of personal information as both a regulatory and litigation risk, because since 10 June 2025 individuals have a personal right to sue for serious invasions of privacy, independent of any OAIC action.
  • The OAIC Is Now Checking Proactively, Not Just Reacting: You must be able to evidence your privacy practices in writing at any time, because since January 2026 the regulator has been conducting proactive compliance sweeps — your organisation can come under scrutiny without anything having gone wrong first.
  • Automated Decision-Making Must Be Disclosed in Your Privacy Policy by 10 December 2026: You must map where your organisation uses automated systems to make or influence decisions about individuals now, because accurate disclosure requires that work to be completed well before the deadline.
  • The Small-Business Exemption Is Narrowing — Don’t Rely on It: You must confirm whether the exemption actually applies to your organisation, because it is under review, expected to narrow, and already excludes health service providers, businesses that trade in personal information, and several other common categories.
June 11, 2026

Introduction

The Privacy Act reforms now reshaping the obligations on Australian business are not a single future event. They are a sequence, set in motion by the Privacy and Other Legislation Amendment Act 2024 (Cth). Some changes are already live and creating real exposure today. One significant change lands on 10 December 2026, which is close enough that the work to be ready genuinely needs to start this financial year.

This is the position as at June 2026. For directors and boards, the practical question is no longer whether privacy is a compliance matter for management to handle quietly. It is a governance and risk question that sits squarely on the board agenda, alongside the organisation’s other material risks. This article sets out the three reforms a board should understand, why each one matters commercially, and what to ask and do before the year is out.

Three dates anchor the picture. On 11 December 2024, the OAIC’s new infringement and compliance notice powers and the tiered civil penalty regime took effect. On 10 June 2025, the statutory tort for serious invasions of privacy commenced. And on 10 December 2026, automated decision-making transparency must appear in privacy policies, the same date by which a Children’s Online Privacy Code is to be registered.

This is a legal frame, not a technology frame. The obligations come from legislation and from the regulator’s enforcement posture. Getting them right is about decisions made at board level, documented advice, and a plan that has been tested before it is needed.

A new personal right to sue: the statutory tort

On 10 June 2025, a statutory tort for serious invasions of privacy commenced. As at June 2026 it is about a year old, which means claims under it are a live possibility, not a theoretical one. Individuals can now personally bring an action for a serious invasion of their privacy.

The tort covers two limbs:

  • Intrusion upon seclusion: This concerns intrusion into a person’s private affairs, for example unauthorised access to their personal devices, accounts or physical space.
  • Misuse of information: This concerns the misuse of information that relates to a person, for example collecting, using or disclosing it in a way that seriously invades their privacy.

The important shift is who can act. Before this, privacy enforcement in Australia ran largely through the Office of the Australian Information Commissioner (OAIC). The statutory tort adds a direct, personal avenue: an affected individual can pursue the matter themselves, independently of any OAIC complaint or investigation. That changes the risk profile of a data incident. The tort is not a strict-liability claim: the plaintiff must have had a reasonable expectation of privacy in the circumstances, the invasion must be serious, it must have been intentional or reckless, and the public interest in privacy must outweigh any countervailing public interest. A merely careless breach will not, on its own, satisfy the fault element. Even so, a breach of personal information is now not only a regulatory matter and a reputational matter, but also a potential source of individual claims.

For a board, the practical effect is that the consequences of mishandling personal information have widened. The mitigating factors look familiar to anyone who runs governance well: clear accountability for personal information, sound collection and handling practices, and a tested response when something goes wrong.


OAIC penalties and a regulator now checking proactively

The 2024 reforms strengthened the regulator’s hand. From 11 December 2024, the OAIC gained the power to issue infringement notices and compliance notices, and a new tiered civil penalty regime came into effect. The figure most often cited among the OAIC penalties is the top-tier civil penalty for serious or repeated interference with privacy, which for a body corporate can reach the greater of $50 million, three times the value of any benefit obtained from the contravention, or 30 per cent of adjusted turnover for the relevant period.

For most organisations the practical change is not the headline maximum but the new mid and low tiers and the infringement and compliance notice powers, which give the regulator realistic, proportionate ways to act on everyday non-compliance.

The other change in posture is just as relevant. In January 2026, the OAIC began its first proactive privacy compliance sweep. It examined around 60 organisations across six sectors. The named sectors include real estate agencies, chemists, licensed venues, car rental businesses, car dealerships, and pawnbrokers and second-hand dealers. The signal matters more than the specific list. The regulator is no longer only responding to breaches and complaints after the fact. It is now proactively examining how organisations handle personal information, which means a business can come under scrutiny without anything having gone wrong first.

A board should treat that as a prompt. If the regulator may come and look, the organisation should be able to show what its privacy practices actually are, in writing, and demonstrate that they are followed.

Automated decision-making and the privacy policy obligation from 10 December 2026

The reform with the clearest deadline is the automated decision-making (ADM) transparency obligation. From 10 December 2026, APP entities must disclose in their privacy policy where computer programs make, or substantially help make, decisions that could significantly affect an individual. The disclosure must cover the kinds of personal information used and the kinds of decisions made.

As at June 2026, that is roughly six months away, which is a genuine reason to start the work this financial year. The reason it cannot wait until the deadline approaches is that two things have to be true before the disclosure can be written.

The first is knowing where the organisation actually uses automated systems to make or materially influence decisions about people. That can include credit and eligibility decisions, pricing, fraud and risk scoring, and increasingly the use of AI tools embedded in everyday software. Mapping that is a project, not a paragraph.

The second is making sure the disclosure is true. A privacy policy that understates or misdescribes how decisions are made is a privacy policy that can mislead. Getting it accurate means involving the people who own those systems and confirming what they actually do.

For most businesses, ADM transparency is the most concrete near-term obligation on the calendar. A separate development to keep on the radar is the Children’s Online Privacy Code, which is also to be registered by 10 December 2026 and which is likely to matter to organisations whose services reach children.


A note for SMEs and family businesses

Many smaller businesses assume the small-business exemption keeps the Privacy Act at arm’s length. It is true that many businesses with annual turnover of $3 million or less are currently exempt. Even so, two things should give a smaller business pause. The exemption is under review and is expected to narrow, so planning to rely on it indefinitely is risky. And it already does not apply to several common situations, including health service providers, businesses that trade in personal information, and credit reporting bodies. If your organisation falls into one of those categories, you are inside the Act regardless of size. A short check of whether the exemption actually applies to you is a sensible item for the board to confirm.

What a board should ask and do this financial year

These reforms reward boards that treat privacy as a standing governance matter rather than a periodic clean-up. A board can make real progress this year by asking management for clear answers to a short set of questions, and by acting on the gaps.

  • Who owns privacy and cyber risk, and how does it reach the board? There should be a named accountable owner and a regular reporting cadence, not an ad hoc arrangement.
  • Is our privacy policy current, and are we ready for ADM disclosure by 10 December 2026? Ask for a plan with a timeline, not a reassurance.
  • Have we mapped where we use automated decision-making? The disclosure depends on this work being done.
  • Do we have a tested data-breach response plan? Under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988), an eligible breach must be notified to the OAIC and affected individuals as soon as practicable, and a suspected eligible breach must generally be assessed within 30 days. A plan that has been rehearsed is worth far more than one that has only been written.
  • Could we show the regulator how we handle personal information? Given the OAIC’s proactive sweep, the ability to evidence good practice is itself a control.

If you want a structured way to walk through these questions before your next board meeting, our free Cyber Readiness Checklist covers the same ground in a practical format.

A useful way to package the answers for the board is an annual cyber and privacy report: a single, current document that records the organisation’s posture, its regulator-readiness against the relevant obligations, and the directors’ oversight of the risk. It gives the board something concrete to review and approve, and it creates a record that the organisation took its obligations seriously.


How GRM LAW helps

GRM LAW’s Cyber Law & Advisory practice, supervised by founding partner Gavin McInnes, an Accredited Specialist in Business Law, helps boards turn these reforms into a clear plan. We advise on privacy compliance and ADM readiness, prepare the board’s annual cyber report (our Cyber Annual Report engagement), and provide AI Governance Counsel for the automated decision-making and AI questions that sit underneath the ADM obligation. Because the same partners who structure your deals act as your lawyers on cyber and privacy, the advice stays commercial and grounded in your business. Where a lawyer directs the response to an incident and the engagement is properly scoped, legal professional privilege can also extend to the work product generated in that response.

If you want a clear read on where your organisation stands before the next board cycle, the simplest first step is to book a scoping call with GRM LAW’s specialist cyber and privacy lawyers.


Disclaimer: This is general information only and is not legal advice. For advice on your circumstances, contact GRM LAW.
